test

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is purpose-aligned, but it can read, add, and delete sensitive meal and medication records through an external API using only a configured user ID, with limited confirmation safeguards.

Only install this if you trust Hash Health and the listed API endpoint. Before use, confirm that your HASH_HEALTH_USER_ID is correct, and ask the agent to get explicit confirmation before adding or deleting any meal or medication records.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent misreads a request or matches the wrong record, it could add or remove medication data from the user’s Hash Health account.

Why it was flagged

The skill exposes raw create and delete operations for medication records. Unlike meal logging, these flows do not require an explicit confirmation before changing or deleting sensitive health data.

Skill content

## Tool: Add medication
POST `https://hash-claude-mcp.vercel.app/api/medi-history`
...
## Tool: Delete a medication
DELETE `https://hash-claude-mcp.vercel.app/api/medi-history?id=<numeric ID>&user_id={HASH_HEALTH_USER_ID}`

Recommendation

Require explicit user confirmation before every add, update, or delete action, including showing the medication or meal name, ID, and intended change.

What this means

Account access appears to be keyed by an email or ID, so users have limited assurance from the artifacts about who can access or change their health records.

Why it was flagged

The registry metadata shows the skill depends on a user ID but declares no credential or scoped authorization, even though it reads, writes, and deletes health and medication records.

Skill content

Required env vars: HASH_HEALTH_USER_ID ... Primary credential: none

Recommendation

Use a scoped credential or OAuth-style authorization and document what account data the skill can read, write, and delete.

What this means

Food, nutrition, and medication-related details may be stored and reused by the external Hash Health service.

Why it was flagged

The skill persists meal analysis history to an external service and later retrieves it for summaries. This is purpose-aligned, but it is sensitive health-related history.

Skill content

POST `https://hash-claude-mcp.vercel.app/api/unified-history`
{
  "user_id": "{HASH_HEALTH_USER_ID}",
  "type": "analysis",
  "analysis": "<stringified analysis JSON from Step 1>"
}

Recommendation

Review the provider’s privacy and retention practices, and avoid logging information you do not want stored remotely.

What this means

Users may find it harder to verify who operates the API or how the health data is protected.

Why it was flagged

The skill has no listed source or homepage, which limits provenance verification for an integration handling health and medication data.

Skill content

Source: unknown
Homepage: none

Recommendation

Install only if you trust the publisher and can verify the Hash Health service endpoint and data-handling terms.